E-Invoicing Assessment Issue 1 ©EDIFICE 2012 06/05/2012
Issue 1
Endorsed on 3 May 2012
Copyright (c) EDIFICE 2012
All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means without prior permission of EDIFICE.
Notwithstanding the fact that the utmost care has been observed in the collecting, drawing up and formulating of data, EDIFICE can under no circumstances be held liable for errors, omissions or misinterpretations as a result of the information compiled in the guidelines.
EDIFICE
The Global Network for B2B Integration in High Tech Industries
EDIFICE secretariat
Dora Cresens
Tiensestraat 12
B-3320 Hoegaarden
Belgium
Tel: +32 16 437 415
Email: [email protected]
Publication Summary
Title: E-Invoicing Assessment outline
Author (s): EDIFICE/BILL
Issue number: Issue 1
Date of Issue: 06/05/2012
Number of Pages: 13
Readership: All
Language: English
Abstract:
Comment: Comments and change requests to this document should be submitted to: EDIFICE secretariat
Comparison to previous Issue
1 Objective and structure of this document
2 Process overview
2.1 Step 1: build and maintain a team and common knowledge base
2.2 Step 2: set scope and perform a self-assessment
2.2.1 Scoping
2.2.2 Self-assessment
2.2.3 Fit/gap analysis
2.3 Step 3: Adopt a strategy and action plan
2.3.1 Service provider assessment criteria
2.4 Step 4: Design and implement
Comparison to previous Issue
No previous Issue exists.
1 Objective and structure of this document
The objective of this document is to guide EDIFICE members through the various stages of setting up and maintaining legally compliant e-invoicing in a cost-effective manner. The emphasis in this document is on how to perform a high-level self-assessment of the business appropriateness and legal compliance of a company’s existing or planned e-invoicing processes and supporting systems and, where the business chooses to do so, to assess the adequacy of solution and service providers assisting with e-invoicing processes.
This document does not address or point to the requirements or audit practices of individual countries. Generally the scope is e-invoicing within Europe, although many of the processes and principles described can be applied for global e-invoicing projects. References to normative requirement or best practice frameworks are limited to Europe. EDIFICE may in a future version of this document expand such aspects to other countries.
2 Process overview
Electronic invoicing is not just another form of B2B messaging: the invoice process is the principal input to most companies’ accounts and a critical process point in any sales or purchase process. In addition to being the backbone of a company’s financial processes and governance, invoices are the focus of formalities, legal or documentary aspects of trade finance, customs, tax and other inevitable trade processes. Dematerializing invoices therefore requires particular attention on all levels of the enterprise. This document suggests a five-step process to ensure a responsible transition from paper to electronic invoicing.
Preparatory steps:
2.1 Step 1: build and maintain a team and common knowledge base
Managing electronic invoicing from inception and throughout production generally requires business, technical and legal input. Which specific roles/departments must be included in an e-invoicing team depends on a company’s circumstances, but the following must be considered:
Business – Direct and Indirect Channels
Accounting (AR/AP)
External Advisors/Auditors
IT – various – incl. Architects, Process Engineers
Legal/tax/compliance
Supply chain
OTC Service Centers
Customer service
Billing
Security
While the appointed people for these departments need to work as a team particularly in the preparatory steps 1-3, it is important to maintain internal relationships with these colleagues throughout the life of electronic invoicing to establish an ongoing knowledge base and continuity of the required change management and approval processes. Ideally the internal team would work under the direct responsibility, or at least with the explicit sponsorship, of the CFO; a project manager for the preparatory steps also often reports (directly or indirectly) to the CFO.
The first thing to do with the selected team is to make sure members have a common understanding of electronic invoicing. This can be done through circulating reading material, but workshops in which different stakeholders explain their vision and requirements are often very beneficial. In addition, it is strongly recommended for the group to interact with the company’s internal and external auditors, as well as tax advisors. The group should also ensure that all members, as well as other decision makers required in the process, are up to date on the company’s vision and strategy in relation to accounting and governance practices, B2B communications, planned process, major IT infrastructure, development and deployment philosophy and resource availability, legal and organizational changes etc.
All project team members should recognise and underwrite the contribution of their department or discipline, as it is vital that the contribution of each discipline continues over time through each implementation project. Members of wider teams which are established for individual projects will rely on continuity of contributions from the core team members.
The Project Manager must facilitate the involvement of appropriate team members at each phase of a project and publish and maintain project plans which clearly show the continuous responsibilities of all parties.
2.2 Step 2: set scope and perform a self-assessment
2.2.1 Scoping
Before starting an assessment, you should clearly define the scope of invoicing processes you wish to evaluate in terms of e.g.:
Sales invoices
Purchase invoices
Inter-company invoicing
Geographies – business and tax, cross-border and domestic
Product/service lines
Legal entities involved
Specific trading partners – customers and suppliers
Specific ERP or B2B platforms
Credit notes/corrective invoices
Self-billing invoices
PO/non-PO invoices
Direct/Indirect purchasing
Sales channels
2.2.2 Self-assessment
This section contains questions that companies should collect answers to within their organization. These answers should form a comprehensive basis for a self-assessment of the systems, policies and practices involved in in-scope invoicing processes.
The CEN e-Invoice Workshop documents, particularly the Good Practice e-Invoice Compliance Guidelines at http://www.e-invoice-gateway.net/knowledgebase/documents/, are recommended reading for a complete background into the scenarios against which you may be assessing your e-Invoice project.
The following questions can assist you in performing a self-assessment; results should be discussed and accepted by all relevant departments/disciplines within your corporation. You may involve external technical, tax, legal, process, accounting etc. experts if so required.
Collect information on your (including relevant subsidiaries’) general relationship with tax authorities. To the extent that such information is available, when was the last VAT audit performed for each VAT registration and what was the outcome? Were there any comments/remarks related to, for instance, electronic invoicing, scanning of paper invoices or the usage of optical archives?
Collect information on VAT or other tax advisers, as well as law firms with competence in tax issues, used in different parts of your organization. Have these advisers been involved in your activities around e-invoicing or, if you have not started such activities, would you normally involve them?
For the corporate or group level, where relevant list existing solution components, responsible owner (legal entity within your organization), party to which operation of the component is outsourced (separating system and application level outsourcing where appropriate), and the country in which the application is physically installed on hardware for e.g.:
ERP#1
ERP#2 etc
Enterprise Application Integration (EAI)
Workflow
Invoice scanning
Archive
If you have a (partially) decentralized setup for the above-mentioned types of IT functionality, please provide the same information per relevant geography.
Further, please specify if any third-party B2B service providers – such as e-invoicing “hubs”, EDI service providers and electronic signing/validation service providers – are in use by you for any relevant invoice flows. Be as specific as possible in naming the service provider and the types of services provided.
Create a table of in-scope invoice flows from a VAT/GST perspective rather than from a business or accounting perspective. To do this, map legal units in scope to the different VAT registrations used for the sending or receipt of e-invoices, also listing annual volumes for each flow.
List which invoicing processes, if any, currently conducted by your organisation (potentially) within the scope of the project are or may today be considered electronic invoicing. Also please indicate which invoicing processes are today “parallel”, meaning that the original invoice is sent/received on paper but an electronic message is sent/received with the same content for integration or “advance notice” purposes.
If you currently operate one or more archiving solutions that could be considered for use as legal archive for the e-invoicing solution, elaborate on the way in which your legal entities currently have access to this archive, i.e. what interfaces and, if any, access controls are currently in place. Are you planning consolidation to a single archive for all your entities engaging in e-invoicing after implementation of the system? List search criteria that can be used in each archive, and collect existing documentation around security, third party audits etc of these archiving solutions.
Do you currently use self-billing within the scope of this project?
Please describe all controls in place to ensure that sales invoices in scope can be demonstrated during the mandatory archiving period to reflect a real supply e.g. controls (process e.g. separation of duties or technical) in relation to:
Trading partner identification
Use of correct VAT values and rates
Timely issue of all invoices
Use of B2B or third party messages in addition to invoices e.g. contracts, purchase orders, payment messages, bank statements, logistics/customs data or documents.
For each control listed, describe your strategy, if any, to constitute, maintain and ensure accessibility of evidence of the controls listed above comprising a reliable audit trail allowing you to demonstrate that these sales invoices reflect an actual supply.
Describe all controls in place to ensure that purchase invoices in scope can be demonstrated during the mandatory archiving period to reflect a real supply e.g. controls (process e.g. separation of duties or technical) in relation to:
Trading partner identification
Invoice approvals
Use of B2B or third party messages in addition to invoices e.g. contracts, purchase orders, payment messages, bank statements, logistics/customs data or documents.
For each control listed, please describe your strategy, if any, to constitute, maintain and ensure accessibility of evidence of such controls with a view to constituting an audit trail allowing you to demonstrate that these purchase invoices reflect an actual supply.
Generally describe your internal control environment to the extent such controls are applicable to in-scope invoicing processes. There are excellent references to controls in the CEN Guidelines.
2.2.3 Fit/gap analysis
The output of the self-assessment can be a fit/gap analysis document that can serve as a basis for determining the need for changes or additional processes or technologies, whether managed in-house or outsourced. It is important for the fit/gap analysis to take into account a complete listing of legal requirements for all jurisdictions affected within the chosen scope; this can be done by leveraging internal tax and legal expertise (e.g. country tax managers or lawyers working for subsidiaries) or through external expert advice, for example from a tax advisory or other consulting firm. In practice, often both will be needed to some degree in order to understand the complete picture.
2.3 Step 3: Adopt a strategy and action plan
The fit/gap analysis performed in Step 2 should clearly show what are the missing pieces required for the in-scope e-invoicing processes to function in accordance with business, tax and legal requirements.
Importantly, the team should be conscious of the fact that this analysis can only be a snapshot in time – change is systemic in e-invoicing, and the company’s ability to anticipate and address changes in time to mitigate associated risks will to a large extent determine the success of a company’s approach to e-invoicing.
In this step, the team should formulate a strategy, consisting of one or several high-level objectives or rules that the company should continue to strive towards or meet regardless of activities undertaken for tactical reasons. The strategy should be signed off by the CFO or other appropriate responsible manager.
Items that can be included in a strategy are:
Full in-house implementation of e-Invoice processes
Extending processes to include e-Procurement or Ordering where appropriate
Degree of outsourcing of technology, processes, trading partner onboarding etc
Acceptable regulatory compliance risk level
Geographic center(s) of consolidated processes
Sponsoring of smaller trading partner e-invoice capabilities (e.g. archiving)
Tolerance towards imposed e-invoicing services, interfaces etc.
Tolerance towards reticent business partners
“Big bang” or gradual implementation
Change Management
Degree of process/solution centralization or decentralization
Based on the strategy, a plan can be built outlining specific activities towards implementation.
2.3.1 Service provider assessment criteria
If you decide to outsource some or all e-invoicing processes to a service provider, the following checklist can be used as a basis for evaluating their capabilities:
Good practice adherence
Has the service provider performed a self-assessment against the CEN e-Invoicing Compliance Good Practice Guidelines? If so, does the service provider agree that its self-assessment be used for a detailed comparison with other service providers?
Security and quality assurance
Please list security, quality and other standards you comply with.
Please list any audit reports you regularly obtain from certified third party auditors.
For each of the above, describe the scope in terms of service components you offer.
Interoperability
Please list current or planned interoperability partners.
Is interoperability with other service providers charged for:
o For sales invoices? Under what conditions?
o For purchase invoices? Under what conditions?
Original invoices and copies
Please list original invoice formats supported within and outside standard pricing.
How do you ensure that a single original invoice is processed and stored for each trading partner, and that copies are recognizable as such?
Invoice issuance services
Do you offer issuing invoices in name and on behalf of suppliers? If so, what processes do you support:
Scan/convert paper to electronic original.
Based on electronic invoice data from the above or received from supplier or his service provider:
o Using third party signature.
o Using supplier’s own signature (where required by supplier or applicable law)
o Pre-authorization submission to competent tax administration, where required.
o Other 3rd party issuance methods under EDI, business controls or other means options.
Do you offer support for using a supplier’s public key certificate to connect to a compulsory tax administration pre-authorization service? If so please specify additional fees charged, if any, for this setup.
Invoice receipt services
Do you formally take responsibility for any of the following invoice receipt functions:
Signature validation.
Data validation
o Legal requirements: Supplier’s country? Buyer’s country? VAT/GST requirements? Commercial law requirements?
o What additional custom data validation can you offer and at what fees, if any?
Transmission and processing controls
First and last mile protection; transmission and processing when no signature is used.
o Please list secure transmission methods supported within and outside standard pricing.
o How do you ensure consistency and audit trails for any transmission where integrity and authenticity of the invoice (data) cannot be fully ensured?
Which invoice formats are supported (e.g. cXML, xCBL, RN, UN/EDIFACT, PDF, portfolio PDF etc.)?
Can we use a structured interface format (e.g. XML or OAGIS based) of our choice?
Is a transformation of our interface format to the customer required format supported?
Are customer specific mapping deviations from established standard mapping supported?
For both inbound and outbound messaging, which transport mechanisms are supported (e.g. AS2, FTP, HTTPS, MQ)?
What kind of connectivity do you support (e.g. Internet, leased line, VANs, private network with connections to other companies, etc.)?
What security protocols for the connection do you support (e.g. HTTPS, TLS/SSL, AS2, secure IP tunneling, encryption, VPN, etc.)?
Can a direct connection to our systems be established?
After the connection with our systems has been established, what is the average time required to board a customer?
Does a web user interface exist to support manual creation of invoices and/or correction of failed invoices?
Does a size limitation exist for in or outbound messages?
Is electronic invoice rejection supported?
Is automated notification of failures / acknowledgements supported?
Would you be able to support back interfaces to our systems (e.g. for reconciliation or archiving)?
Do you already have established connections with other service providers?
Describe the controls in place for ensuring accuracy and completeness of any invoice (data) conversion that takes place in the course of your processing or storage operations in relation to the proposed services. How are such controls made auditable, and for how long is this evidence stored?
Legal and compliance assurance
Describe legal requirements (e.g. VAT/GST, commercial law, accounting law, privacy law, corporate governance etc.), if any, you monitor and guarantee compliance with:
Per service component proposed
Per country supported
Describe monitoring methodology and documentation undertakings associated with compliance maintenance.
Change management
Describe change management routines proposed to address compliance or other service changes:
Backward-compatible changes.
Non backward-compatible changes.
Registrations and physical locations
In which countries are you registered as a company (include branch offices and any kind of subsidiaries)?
From which countries do you physically provide the proposed services? Can we choose to bypass specific country installations, and if so at what additional charges if any?
Documentation
Within what time from our request can we, our customers or their trading partners obtain historical documentation describing the relevant services and associated controls including those performed by third parties as part of your service provision? How is document management and retrievability of such documentation ensured?
Archiving services
Where are invoices physically stored?
Do you store separate objects for supplier and buyer if both use your archiving service?
How is online access ensured within a reasonable time upon request by an auditor?
What search criteria are available?
Describe how integrity and authenticity of an archived invoice can be ascertained within a reasonable time upon request by an auditor:
o For signed invoices.
o For invoices exchanged under the EU EDI method.
o When integrity and authenticity are ensured through business process audit trails or other methods.
Describe how you ensure separation among different legal entities using the archive.
Describe how off-boarding of all invoices of a legal entity can be arranged, and what additional fees if any are charged for this process.
Describe whether you take responsibility for deletion, prolongation etc of the archiving period and if so, in compliance with what laws:
o VAT/GST law.
o Commercial law.
o Accounting law.
Describe archiving-specific controls used for ensuring protection against unauthorized access, deletion, copying, modification etc.
Involuntary service discontinuation
What contractual, technical or other measures do you propose to mitigate the risk of bankruptcy, merger etc jeopardizing your ability to meet contractual and legal requirements in relation to the services offered?
Customer / Business oriented
Is electronic ordering supported?
Is reconciliation between orders and invoices supported?
Does your reconciliation function expect an equal number of invoice lines compared to the order lines to perform reconciliation?
Are PO line/subline/date considered mandatory invoice data elements?
Are default invoice data element validation rules applied?
Can customers request specific data element validation rules to be applied?
Is there 24 hour helpdesk support available for problem handling?
Is a reporting functionality available (e.g. status of invoices, etc.)?
What SLAs are in place?
2.4 Step 4: Design and implement
Based on the detailed action plan, an implementation project should be defined and executed. While this can to a large extent be outsourced to specialized development and implementation resources, the internal team must be fully involved in all implementation phases. In particular detailed design should not be left to technical experts only, but should rather be based on the strategy and be tested against the desired outcomes in terms of level of external invoice auditability across jurisdictions etc.
2.5 Step 5: Execution of Change management
The design should above all make it easy and inexpensive to effect changes driven by the evolution of legal requirements – among other things this means reducing reliance for legal compliance purposes on complex processes that are difficult and expensive to change.
The team should make sure there is a methodology for monitoring and addressing:
Technology changes
Organizational changes
Legal changes